Continuing misunderstandings about ICS cyber security

June 24, 2016

It is mid-2016. “SCADA security” or “ICS security” are now being used in many cyber security conversations. However, in most instances, ICS cyber security is still not being adequately understood or addressed.

After more than 17 years in ICS cyber security, there is still a very significant gap in understanding this subject. It seems that with the exception of the national labs and a core group of experts (almost none from the electric utilities), the only other group with a real understanding of ICS cyber are the attackers. It is scary to think that policy makers are being guided by people who simply don’t understand ICS cyber issues. Consequently, after reviewing or participating in hundreds of conferences, papers, and many Congressional hearings, here are my views of the continuing misunderstandings of ICS cyber security (in no particular order):

- In general, ICS and IT organizations still do not understand or work well with each other. Moreover, the concept of Operational Technology (OT) is poorly defined, and OT is not the control system organization. Consequently, the concept of bridging the IT/OT divide is very misleading.

- The “C suite” (senior executives) still generally views cyber security as a data breach issue and not an ICS issue. As there are so few publicly identified ICS cyber incidents, they generally believe ICS cyber threats are not real or relevant. Most often, Stuxnet is dismissed as irrelevant. Additionally, organizations such as NERC continue to mislead the electric industry and even Congress about the reality and impact of the real cyber threats to the electric grid.

- ICS cyber security is not IT security. ICS cyber security must address the entire control loop from the field devices to the ICS communication protocols to the controllers to the data acquisition systems to the master stations (e.g., SCADA and DCS). This means we do care about network issues, but we also care about ICS issues that are independent of the network. Whereas Distributed Denial of Service (DDoS) is an issue for ICS as well as IT, DDoS is often not the most critical threat for ICS. For ICS, the most critical threats are denial of control and/or denial of view.
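Denial of view and denial of control are process-level conditions, so they have to be judged from what the operator can see and what the process actually does, not from network traffic alone. The following monitor is an added example (not code from this post or from any vendor) that illustrates the distinction: it flags intervals where no fresh process value reached the operator (denial of view) and intervals where the process persistently fails to follow its setpoint (denial of control). The thresholds, the `Sample` record, and the telemetry are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed thresholds; real values depend on the process and its scan rate.
STALE_AFTER_S = 10.0      # no fresh process value for longer than this = loss of view
CONTROL_TOLERANCE = 2.0   # largest acceptable |process value - setpoint|
CONTROL_SETTLE_S = 15.0   # time the process is allowed to take to follow a setpoint


@dataclass
class Sample:
    """One scan as seen at the master station (hypothetical record layout)."""
    t: float                 # seconds since start of the window
    value: Optional[float]   # process value reported to the operator; None = nothing reported
    setpoint: float          # setpoint currently commanded by the controller/operator


Alarm = Tuple[str, float, float]   # (kind, start_time, end_time)


def detect_denial_of_view(samples: List[Sample], stale_after: float = STALE_AFTER_S) -> List[Alarm]:
    """Flag gaps between fresh process values that exceed stale_after seconds."""
    alarms: List[Alarm] = []
    last_seen = None
    for s in samples:
        if s.value is None:
            continue
        if last_seen is not None and s.t - last_seen > stale_after:
            alarms.append(("denial_of_view", last_seen, s.t))
        last_seen = s.t
    return alarms


def detect_denial_of_control(samples: List[Sample], tolerance: float = CONTROL_TOLERANCE,
                             settle: float = CONTROL_SETTLE_S) -> List[Alarm]:
    """Flag episodes where the process stays outside tolerance of the setpoint longer than settle."""
    episodes: List[Tuple[float, float]] = []
    start = None
    last_t = None
    for s in samples:
        if s.value is None:
            continue   # cannot judge control without a value; reported separately as loss of view
        last_t = s.t
        deviating = abs(s.value - s.setpoint) > tolerance
        if deviating and start is None:
            start = s.t
        elif not deviating and start is not None:
            episodes.append((start, s.t))
            start = None
    if start is not None and last_t is not None:
        episodes.append((start, last_t))   # episode still open at the end of the window
    return [("denial_of_control", a, b) for a, b in episodes if b - a > settle]


def analyze(samples: List[Sample]) -> List[Alarm]:
    """Run both detectors and return alarms ordered by start time."""
    alarms = detect_denial_of_view(samples) + detect_denial_of_control(samples)
    return sorted(alarms, key=lambda a: a[1])


def constructed_telemetry() -> List[Sample]:
    """Constructed 2-minute window, 5 s scans, setpoint 50.0.

    t=45..75: nothing reported to the operator (loss of view).
    t>=90:    value stuck at 40.0 while setpoint stays 50.0 (loss of control).
    """
    samples = []
    for t in range(0, 125, 5):
        if 45 <= t <= 75:
            pv = None
        elif t >= 90:
            pv = 40.0
        else:
            pv = 50.0 + (0.5 if t % 10 else -0.5)   # normal small wobble around setpoint
        samples.append(Sample(t=float(t), value=pv, setpoint=50.0))
    return samples


if __name__ == "__main__":
    for kind, start, end in analyze(constructed_telemetry()):
        print(f"{kind}: t={start:.0f}s .. {end:.0f}s")
```

The monitor only says what the operator could not see or could not make the process do; it says nothing about why. That is deliberate: the cause may be a failed sensor, a broken valve, or an attacker who wants the event to look like one, so the alarm is a trigger for process-level forensics rather than a verdict.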

- ICS cyber security threats are real and they don’t have to be malicious. A cyber incident is the electronic communications between systems affecting Confidentiality, Integrity, or Availability (and Safety even though IT typically doesn’t understand this subject). There have already been more than 800 actual ICS cyber incidents. Most incidents were not identified as cyber because of the lack of ICS cyber forensics and training at the control systems level 1 (non-Internet Protocol) layer. In many cases, the only difference between malicious and unintentional is motivation – the impact is the same. Moreover, a knowledgeable attacker would make the event look like a mechanical or electrical failure not a cyber attack. The impacts can, and have, been devastating – major equipment destruction, significant environmental releases, and loss of life. It is very feasible to bring segments of the electric grid down for 9-18 months. I do not believe we can defend the critical infrastructures against sophisticated cyber attacks, particularly from nation-states. Compliance regimes such as the US Bulk electric system NERC CIPs are not only insufficient, they are dangerous because they can lull an electric utility company into believing they are doing enough.

- Cyber vulnerabilities are not automatically a threat to ICS operation. Control systems were designed to operate without a network. The network provided a means of sharing data and information. Some malware such as BlackEnergy is used to exfiltrate information in order to plan attacks. Consequently, cyber vulnerabilities need to be identified and evaluated for impact and the malware removed. (Currently, NERC CIP requirements do not require removal of malware.)

- ICS cyber security contingency plans need to be relevant. The Ukrainian hack of the grid demonstrated that the ability to operate the system manually for an extended period of time is essential. I do not believe the US grid could be operated in manual operation for an extended period of time.

- The electric industry believes that islanding and having backup large transformers is sufficient to address possible cyber threats. However, islanding may not be sufficient as the same vendors supply the islanded grids. Additionally, since cyber attackers go after the transformer protection resulting in damage to the transformers, having large spare transformers may not be an answer to a determined cyber attack against the grid.

- ICSs should not be connected directly to the Internet. For productivity reasons, having ICSs with indirect access to the Internet is very valuable. However, having ICSs connected directly to the Internet is very dangerous. It is not clear if the “Internet of Things” means a direct connection to the Internet. The danger of control systems directly connected to the Internet was made explicitly clear by DHS and was demonstrated by the Ukrainian hack. Yet Project Shine identified more than 2 million ICS and ICS support devices connected directly to the Internet. More than that, there are now cyber exploits for most of the ICS vendors available on the Internet for free. I would expect the insurance companies and the Wall Street rating agencies to be aware of the very critical concern of connecting ICSs to the Internet.

- Safety systems should be independent of control systems. Highly “sensitive” systems such as nuclear plant safety systems and Safety Instrumented Systems (SIS) should not be connected to control systems. Interconnecting control and safety systems removes their independence. Given the number and frequency of DHS ICS-CERT cyber vulnerability disclosures, how can one depend on these systems for critical safety applications?

- ICS cyber security metrics and appropriate procurement guidelines need to be developed. The ICS cyber security metrics developed to date do not address ICS-unique issues. The ICS procurement guidelines developed to date do not address field devices in any significant detail.

Joe Weiss